diff --git a/apps/emqx/src/emqx_access_control.erl b/apps/emqx/src/emqx_access_control.erl
index 1ef885ed5..a679e6a5e 100644
--- a/apps/emqx/src/emqx_access_control.erl
+++ b/apps/emqx/src/emqx_access_control.erl
@@ -59,9 +59,8 @@ check_acl_cache(ClientInfo, PubSub, Topic) ->
 AclResult -> AclResult
 end.
 
-do_check_acl(ClientInfo = #{zone := Zone}, PubSub, Topic) ->
- Default = emqx_zone:get_env(Zone, acl_nomatch, deny),
- case run_hooks('client.check_acl', [ClientInfo, PubSub, Topic], Default) of
+do_check_acl(ClientInfo, PubSub, Topic) ->
+ case run_hooks('client.check_acl', [ClientInfo, PubSub, Topic], allow) of
 allow -> allow;
 _Other -> deny
 end.
diff --git a/apps/emqx/test/emqx_access_control_SUITE.erl b/apps/emqx/test/emqx_access_control_SUITE.erl
index e4a888d14..ffe3f4fac 100644
--- a/apps/emqx/test/emqx_access_control_SUITE.erl
+++ b/apps/emqx/test/emqx_access_control_SUITE.erl
@@ -39,13 +39,6 @@ t_authenticate(_) ->
 ?assertMatch({ok, _}, emqx_access_control:authenticate(clientinfo())).
 
 t_check_acl(_) ->
- emqx_zone:set_env(zone, acl_nomatch, deny),
- application:set_env(emqx, enable_acl_cache, false),
- Publish = ?PUBLISH_PACKET(?QOS_0, <<"t">>, 1, <<"payload">>),
- ?assertEqual(deny, emqx_access_control:check_acl(clientinfo(), Publish, <<"t">>)),
-
- emqx_zone:set_env(zone, acl_nomatch, allow),
- application:set_env(emqx, enable_acl_cache, true),
 Publish = ?PUBLISH_PACKET(?QOS_0, <<"t">>, 1, <<"payload">>),
 ?assertEqual(allow, emqx_access_control:check_acl(clientinfo(), Publish, <<"t">>)).
 
diff --git a/apps/emqx/test/emqx_mqtt_protocol_v5_SUITE.erl b/apps/emqx/test/emqx_mqtt_protocol_v5_SUITE.erl
index 8ce35b50c..250a959eb 100644
--- a/apps/emqx/test/emqx_mqtt_protocol_v5_SUITE.erl
+++ b/apps/emqx/test/emqx_mqtt_protocol_v5_SUITE.erl
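Review bot: `do_check_acl/3` now hands the literal `allow` to `run_hooks/3` as the default, so when nothing is registered on `'client.check_acl'` (authz application not started, or its hook deleted as the coap suite's teardown in this commit does) every publish and subscribe is permitted; before, the zone's `acl_nomatch` setting decided this and its fallback was `deny`. If fail-open with no hook is the intended design, document it on the function, e.g. `%% No 'client.check_acl' hook registered: allow. emqx_authz answers {stop, deny} on nomatch, so this default only applies when no authz module is hooked.`; otherwise keep `deny` as the no-hook default and rely on hooks returning `allow` explicitly. The removed `acl_nomatch` read was the only thing making the no-hook outcome configurable, so this is a behaviour change for deployments, not just a cleanup. check_acl_cache/3, whose tail opens the hunk, begins above it.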
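Review bot: With the `deny` assertion removed, t_check_acl only verifies that a client with no `'client.check_acl'` hook gets `allow`, so the deny branch of `do_check_acl/3` (a hook answering anything other than `allow`) is no longer exercised in this suite. Keep a second case that registers a hook returning `deny` — or mocks the decision, as the v5 suite in this commit does — and asserts `deny` from `emqx_access_control:check_acl/3`. The `application:set_env(emqx, enable_acl_cache, ...)` calls were only in the removed lines, so the surviving assertion now runs with whatever value the application environment happens to hold.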
@@ -197,8 +197,8 @@ t_connect_will_message(_) ->
 t_batch_subscribe(_) ->
 {ok, Client} = emqtt:start_link([{proto_ver, v5}, {clientid, <<"batch_test">>}]),
 {ok, _} = emqtt:connect(Client),
- application:set_env(emqx, enable_acl_cache, false),
- application:set_env(emqx, acl_nomatch, deny),
+ ok = meck:new(emqx_access_control, [non_strict, passthrough, no_history, no_link]),
+ meck:expect(emqx_access_control, check_acl, fun(_, _, _) -> deny end),
 {ok, _, [?RC_NOT_AUTHORIZED, ?RC_NOT_AUTHORIZED, ?RC_NOT_AUTHORIZED]} = emqtt:subscribe(Client, [{<<"t1">>, qos1},
@@ -209,7 +209,7 @@ t_batch_subscribe(_) ->
 ?RC_NO_SUBSCRIPTION_EXISTED]} = emqtt:unsubscribe(Client, [<<"t1">>, <<"t2">>, <<"t3">>]),
- application:set_env(emqx, acl_nomatch, allow),
+ meck:unload(emqx_access_control),
 emqtt:disconnect(Client).
 
 t_connect_will_retain(_) ->
diff --git a/apps/emqx_authz/src/emqx_authz.erl b/apps/emqx_authz/src/emqx_authz.erl
index 24393a4b0..fde1169de 100644
--- a/apps/emqx_authz/src/emqx_authz.erl
+++ b/apps/emqx_authz/src/emqx_authz.erl
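Review bot: In t_batch_subscribe the mock installed by `ok = meck:new(emqx_access_control, [non_strict, passthrough, no_history, no_link])` is only removed by the bare `meck:unload(emqx_access_control)` in the second hunk, so if any `=` match between the two fails the mock stays loaded (and with `no_link` it outlives the crashed test process), leaving `check_acl` answering `deny` for every later test in the suite. Wrap the body in `try ... after meck:unload(emqx_access_control) end`, or move the `meck:new`/`meck:unload` pair into init_per_testcase/end_per_testcase. `meck:expect/3` returns `ok` too; matching it (`ok = meck:expect(...)`) keeps the style of the line above. t_batch_subscribe continues between the two hunks.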
@@ -150,22 +150,22 @@ b2l(B) when is_binary(B) -> binary_to_list(B).
 %% @doc Check ACL
 -spec(check_authz(emqx_types:clientinfo(), emqx_types:all(), emqx_topic:topic(), emqx_permission_rule:acl_result(), rules())
- -> {ok, allow} | {ok, deny} | deny).
+ -> {stop, allow} | {ok, deny}).
 check_authz(#{username := Username, peerhost := IpAddress
- } = Client, PubSub, Topic, DefaultResult, Rules) ->
+ } = Client, PubSub, Topic, _DefaultResult, Rules) ->
 case do_check_authz(Client, PubSub, Topic, Rules) of
 {matched, allow} ->
- ?LOG(info, "Client succeeded authorizationa: Username: ~p, IP: ~p, Topic: ~p, Permission: allow", [Username, IpAddress, Topic]),
+ ?LOG(info, "Client succeeded authorization: Username: ~p, IP: ~p, Topic: ~p, Permission: allow", [Username, IpAddress, Topic]),
 emqx_metrics:inc(?ACL_METRICS(allow)),
 {stop, allow};
 {matched, deny} ->
- ?LOG(info, "Client failed authorizationa: Username: ~p, IP: ~p, Topic: ~p, Permission: deny", [Username, IpAddress, Topic]),
+ ?LOG(info, "Client failed authorization: Username: ~p, IP: ~p, Topic: ~p, Permission: deny", [Username, IpAddress, Topic]),
 emqx_metrics:inc(?ACL_METRICS(deny)),
 {stop, deny};
 nomatch ->
- ?LOG(info, "Client failed authorizationa: Username: ~p, IP: ~p, Topic: ~p, Reasion: ~p", [Username, IpAddress, Topic, "no-match rule"]),
- DefaultResult
+ ?LOG(info, "Client failed authorization: Username: ~p, IP: ~p, Topic: ~p, Reasion: ~p", [Username, IpAddress, Topic, "no-match rule"]),
+ {stop, deny}
 end.
 
 do_check_authz(Client, PubSub, Topic,
diff --git a/apps/emqx_authz/test/emqx_authz_SUITE.erl b/apps/emqx_authz/test/emqx_authz_SUITE.erl
index 88e250377..d036d1dec 100644
--- a/apps/emqx_authz/test/emqx_authz_SUITE.erl
+++ b/apps/emqx_authz/test/emqx_authz_SUITE.erl
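Review bot: The updated `-spec` for check_authz/5 says `{stop, allow} | {ok, deny}`, but every branch of the `case` returns a `{stop, _}` tuple — `{stop, deny}` for a matched deny and now also for `nomatch` — so `{ok, deny}` is never produced and Dialyzer will report the spec; it should read `-> {stop, allow} | {stop, deny}).`. Returning `{stop, deny}` on `nomatch` also means that once this module is hooked no later `'client.check_acl'` callback can allow a request, which deserves a comment on that branch such as `%% no rule matched: deny and stop the hook chain; later hooks are not consulted`. `DefaultResult` has become an ignored `_DefaultResult` while the test suite still passes `deny` for it; if the arity is kept for compatibility, say so in the `@doc`. The `Reasion` typo in the nomatch message is left while the neighbouring messages are fixed. do_check_authz/4 starts at the end of the hunk.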
@@ -39,7 +39,6 @@ end_per_suite(_Config) ->
 set_special_configs(emqx) ->
 application:set_env(emqx, allow_anonymous, true),
 application:set_env(emqx, enable_acl_cache, false),
- application:set_env(emqx, acl_nomatch, deny),
 ok;
 set_special_configs(emqx_authz) ->
 application:set_env(emqx, plugins_etc_dir,
@@ -145,7 +144,7 @@ t_authz(_) ->
 Rules3 = [emqx_authz:compile(Rule) || Rule <- [?RULE3, ?RULE4]],
 Rules4 = [emqx_authz:compile(Rule) || Rule <- [?RULE4, ?RULE1]],
 
- ?assertEqual(deny,
+ ?assertEqual({stop, deny},
 emqx_authz:check_authz(ClientInfo1, subscribe, <<"#">>, deny, [])),
 ?assertEqual({stop, deny},
 emqx_authz:check_authz(ClientInfo1, subscribe, <<"+">>, deny, Rules1)),
diff --git a/apps/emqx_coap/test/emqx_coap_SUITE.erl b/apps/emqx_coap/test/emqx_coap_SUITE.erl
index 73c9ef162..416c99018 100644
--- a/apps/emqx_coap/test/emqx_coap_SUITE.erl
+++ b/apps/emqx_coap/test/emqx_coap_SUITE.erl
@@ -289,6 +289,7 @@ t_acl(Config) ->
 ok
 end,
 
+ ok = emqx_hooks:del('client.check_acl', {emqx_authz, check_authz}),
 file:delete(filename:join(emqx:get_env(plugins_etc_dir), 'authz.conf')),
 application:set_env(emqx, plugins_etc_dir, OldPath),
 application:stop(emqx_authz).
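Review bot: The added `ok = emqx_hooks:del('client.check_acl', {emqx_authz, check_authz})` runs inline at the end of t_acl in the coap suite, after its assertions, so a failing match earlier in the test leaves the hook registered (and, like the `application:stop(emqx_authz)` below it, skipped); since the callback belongs to an application this test stops itself, the cleanup belongs in end_per_testcase or a `try ... after` block. Once the hook is gone, later tests fall back to the access-control default that this commit changes to `allow`, so a test expecting `deny` after this point may depend on execution order. t_acl begins above the hunk.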